Series: Additional Controls in ISO/IEC 27019:2024 for Energy Utilities
- sujosutech
- Sep 2
Technological Controls – Part II
The second edition of the information security standard ISO/IEC 27019:2024 enhances the controls of ISO/IEC 27002:2022 by providing specific guidance for the energy utility industry. It also provides a set of 12 additional controls that aim to address the security needs of energy utilities. Two of those controls are organizational, four are physical and the remaining six are technological in nature.

In the previous article, we analyzed two technological controls of ISO/IEC 27019:2024. In this article and the next, we will look at the implementation aspects of the remaining technological controls.
Control 8.37: ENR – Securing process control data communication
This control aims to protect information which is transmitted via process control data communication. Implementation of this control would help the organization protect the confidentiality, integrity and availability of sensitive information by preventing and detecting any attempted security breaches of its systems and networks.
Several technical standards and protocols exist for process control data communication, such as IEC 60870-5, IEC 60870-6, IEEE 1815, IEC 61850 and Modbus. Some of them include security features; others have no inherent security function at all. Energy utilities should assess the risks of using these protocols and implement the controls needed to mitigate them, including cryptographic measures and monitoring systems.

The contents and implementation of the following security policies may be impacted by this control:
Risk Management Policy – An organization should consider the risks arising from the use of process control data communication protocols, and prepare appropriate risk treatment plans.
Cryptographic Control Usage Policy – This policy defines the cryptographic measures that need to be implemented for reducing the risks of process control data communication.
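As an added illustration of the "cryptographic measures" and "monitoring systems" this control calls for (this is example code written for this article, not part of ISO/IEC 27019 or of any protocol standard), the block below wraps frames of a protocol that has no inherent security in an authenticated envelope: a sequence number plus an HMAC-SHA256 tag over the frame. The receiver rejects tampered and replayed frames and records each rejection as an event that a monitoring system could consume. The envelope format, the demo key and the sample Modbus/TCP-style frame are all constructed assumptions; they are not IEC 62351 or any standardized secure transport.

```python
"""Authenticated envelope for an insecure process-control protocol.

Added example, not from the article or any standard. Envelope layout, key
and sample frame are constructed for illustration only."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

TAG_LEN = 32  # HMAC-SHA256 output length in bytes
SEQ_LEN = 4   # 32-bit big-endian sequence number


@dataclass
class Sender:
    key: bytes
    seq: int = 0

    def wrap(self, payload: bytes) -> bytes:
        """Prefix a fresh sequence number and append an HMAC over seq||payload."""
        self.seq += 1
        header = struct.pack(">I", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


@dataclass
class Receiver:
    key: bytes
    last_seq: int = 0
    events: list = field(default_factory=list)  # feed for a monitoring system

    def unwrap(self, frame: bytes):
        """Return the payload if authentic and fresh; otherwise log an event and return None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            self.events.append("malformed: frame too short")
            return None
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time comparison: MAC check happens before any use of the body.
        if not hmac.compare_digest(tag, expected):
            self.events.append("integrity failure: bad MAC")
            return None
        (seq,) = struct.unpack(">I", header)
        # Strictly increasing sequence numbers reject replayed frames.
        if seq <= self.last_seq:
            self.events.append(f"replay: seq {seq} <= last accepted {self.last_seq}")
            return None
        self.last_seq = seq
        return body


def demo():
    """Exercise a good frame, a tampered frame and a replayed frame."""
    key = b"constructed-demo-key-not-for-production"
    # Constructed sample: a Modbus/TCP-style "write single register" frame.
    pdu = bytes.fromhex("0001000000060106000A0001")
    tx, rx = Sender(key), Receiver(key)

    frame = tx.wrap(pdu)
    accepted = rx.unwrap(frame) == pdu

    # Tamper with the register value byte; the MAC no longer verifies.
    tampered = bytearray(frame)
    tampered[SEQ_LEN + 10] ^= 0xFF
    tampered_rejected = rx.unwrap(bytes(tampered)) is None

    # Re-send the original, valid frame; the sequence check rejects it.
    replay_rejected = rx.unwrap(frame) is None
    return accepted, tampered_rejected, replay_rejected, rx.events


if __name__ == "__main__":
    print(demo())
```

The point of the example is that integrity and freshness can be added around a protocol that offers neither, and that every verification failure becomes a concrete, loggable event rather than a silently accepted frame. Key distribution, counter rollover and confidentiality are deliberately out of scope here; a real deployment would use a standardized secure transport where the protocol family offers one.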
Control 8.38: ENR – Logical connection of external process control systems
This control aims to protect control systems of energy utilities, which have logical connections with external parties, from interference, manipulation and compromise. Implementation of this control would help the organization protect the confidentiality, integrity and availability of its control systems by preventing and detecting any attempted security breaches of its information systems and networks.
Energy utilities should assess the risks of logically connecting their control systems with external parties (such as other utilities, grid operators, third-party software providers, industrial clients and regulatory bodies). Only authorized communications and information should be exchangeable over these logical links; this can be enforced with appropriate filtering devices (such as gateways, proxies and firewalls). Moreover, connections should only be established at connection points that can be securely operated and monitored.
The contents and implementation of the following security policies and procedures may be impacted by this control:
Risk Management Policy – An organization should assess the risks of logical connection of its control systems with external parties, and prepare appropriate risk treatment plans.
Information Exchange Policy – This defines the rules for secure exchange of information with external parties.
Procedure for Monitoring Areas of Risk – This procedure defines the steps to detect unauthorized information exchange activities by monitoring the connection points.
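The following block is an added example (written for this article, not taken from ISO/IEC 27019 or from any product) of the kind of protocol-aware filtering a gateway at a monitored connection point could apply. It parses Modbus/TCP request frames from external peers and enforces a per-peer allowlist of function codes and register ranges, denying and logging everything else, which also gives the monitoring procedure above something concrete to look at. The peer addresses, the policy table and the sample frames are constructed assumptions.

```python
"""Per-peer allowlist filter for Modbus/TCP requests at an external connection point.

Added example, not from the article. Peers, policy and frames are constructed."""
import struct
from typing import NamedTuple


class Request(NamedTuple):
    unit: int
    function: int
    start: int
    count: int


READ_FCS = {1, 2, 3, 4}          # read coils/inputs/holding/input registers
WRITE_FCS = {5, 6, 15, 16}       # write coil(s)/register(s)


def parse_modbus_tcp(frame: bytes) -> Request:
    """Parse the MBAP header and the address fields of the common function codes."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header and address fields")
    _tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    if fc in READ_FCS or fc in {15, 16}:
        start, count = struct.unpack(">HH", frame[8:12])
    elif fc in {5, 6}:
        (start,) = struct.unpack(">H", frame[8:10])
        count = 1
    else:
        raise ValueError(f"function code {fc} not handled by this filter")
    return Request(unit, fc, start, count)


# Constructed policy: peer -> (allowed function codes, inclusive register range).
POLICY = {
    "10.20.0.5": ({3}, (0, 99)),        # external grid operator: read-only view
    "10.20.0.9": ({3, 6}, (200, 209)),  # vendor maintenance link: narrow read/write window
}


def decide(peer: str, frame: bytes, policy=POLICY):
    """Return ("ALLOW"|"DENY", log line). Default is deny."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "DENY", f"{peer}: unparseable request ({err})"
    rule = policy.get(peer)
    if rule is None:
        return "DENY", f"{peer}: peer not in allowlist fc={req.function}"
    fcs, (lo, hi) = rule
    end = req.start + req.count - 1
    if req.function not in fcs:
        return "DENY", f"{peer}: fc={req.function} not permitted"
    if req.start < lo or end > hi:
        return "DENY", f"{peer}: fc={req.function} range {req.start}-{end} outside {lo}-{hi}"
    return "ALLOW", f"{peer}: fc={req.function} range {req.start}-{end}"


def run_samples():
    """Constructed request frames as they might arrive at the connection point."""
    samples = [
        ("10.20.0.5", bytes.fromhex("000100000006010300000010")),  # read 16 regs from 0
        ("10.20.0.5", bytes.fromhex("0002000000060106000A0001")),  # write attempt by read-only peer
        ("10.20.0.9", bytes.fromhex("000300000006010600C80001")),  # write reg 200, inside window
        ("10.20.0.9", bytes.fromhex("000400000006010600D20001")),  # write reg 210, outside window
        ("10.99.0.1", bytes.fromhex("000500000006010300000001")),  # unknown peer
        ("10.20.0.5", bytes.fromhex("000600000002")),              # truncated frame
    ]
    return [decide(peer, frame) for peer, frame in samples]


if __name__ == "__main__":
    for decision, line in run_samples():
        print(decision, line)
```

Two design points matter here: the filter understands the protocol (function code and address range), not just IP addresses and ports, so a permitted peer cannot quietly turn a read-only link into a write path; and every denial produces a log line keyed by peer and function code, which is the raw material for the monitoring procedure described above.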
How Sujosu Technology Can Help
Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:
Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.
Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks.
Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.
Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.
With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. We also organize webinars and publish articles to raise awareness of various aspects of cyber security and data privacy.
Partner with Sujosu Technology
Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.